qpid-dev mailing list archives

From "Wesley Holevinski (JIRA)" <j...@apache.org>
Subject [jira] [Created] (QPID-5833) Message's userId check in C++ broker prevents sending messages between different users
Date Thu, 19 Jun 2014 12:47:24 GMT
Wesley Holevinski created QPID-5833:
---------------------------------------

             Summary: Message's userId check in C++ broker prevents sending messages between different users
                 Key: QPID-5833
                 URL: https://issues.apache.org/jira/browse/QPID-5833
             Project: Qpid
          Issue Type: Bug
    Affects Versions: 0.28
            Reporter: Wesley Holevinski


The lines in question are:

{noformat}
df36b35e qpid/cpp/src/qpid/broker/SemanticState.cpp (Gordon Sim               2012-08-10 12:04:27 +0000 490)     std::string id = msg.getUserId();
ae0f6726 qpid/cpp/src/qpid/broker/SemanticState.cpp (Alan Conway              2011-12-06 15:56:40 +0000 491)     if (authMsg &&  !id.empty() && !session.getConnection().isAuthenticatedUser(id))
63f48b2f qpid/cpp/src/qpid/broker/SemanticState.cpp (Rajith Muditha Attapattu 2008-09-25 18:40:32 +0000 492)     {
d7c67754 qpid/cpp/src/qpid/broker/SemanticState.cpp (Gordon Sim               2008-10-10 16:54:54 +0000 493)         QPID_LOG(debug, "authorised user id : " << userID << " but user id in message declared as " << id);
d7c67754 qpid/cpp/src/qpid/broker/SemanticState.cpp (Gordon Sim               2008-10-10 16:54:54 +0000 494)         throw UnauthorizedAccessException(QPID_MSG("authorised user id : " << userID << " but user id in messag
63f48b2f qpid/cpp/src/qpid/broker/SemanticState.cpp (Rajith Muditha Attapattu 2008-09-25 18:40:32 +0000 495)     }

{noformat}

---

Up until this point, we haven't been using a JMS client; we've found that the JMS client will
insert the userId into the message:

{noformat}
d4d85f06 (Rajith Muditha Attapattu 2008-09-25 18:35:11 +0000 117)         // On the receiving side, this will be read in to the JMSXUserID as well.
dd2ed172 (Rajith Muditha Attapattu 2008-10-01 19:27:19 +0000 118)         messageProps.setUserId(userIDBytes);
d4d85f06 (Rajith Muditha Attapattu 2008-09-25 18:35:11 +0000 119)
21c61b77 (Rafael H. Schloming      2008-07-09 13:26:54 +0000 120)         if (messageId != null)
21c61b77 (Rafael H. Schloming      2008-07-09 13:26:54 +0000 121)         {
21c61b77 (Rafael H. Schloming      2008-07-09 13:26:54 +0000 122)             messageProps.setMessageId(messageId);
21c61b77 (Rafael H. Schloming      2008-07-09 13:26:54 +0000 123)         }

{noformat}

---

Our scenario:

1. Send message to a broker using the JMS client; authenticate as user: 'tester'
2. Consume message from destination queue as user 'mgmt'

{noformat}
Result: "unauthorized-access: authorised user id : mgmt@QPID but user id in message declared as tester (/builddir/build/BUILD/qpid-0.28-rc2/cpp/src/qpid/broker/SemanticState.cpp:497"
{noformat}

---

I'll work on providing a full end to end simple example for this.



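The broker-side condition quoted in the report above, modeled as a stand-alone C++ program to show which combinations of `authMsg`, connection identity and declared user id are rejected. This is an added example, not code from the report or from Qpid: `ConnectionModel`, `checkUserId` and `outcome` are hypothetical names, and the body of `isAuthenticatedUser` (full id or bare name before `@`) is an assumption, since the report does not show the broker's implementation.

```cpp
// Added illustration: stand-alone model of the user-id check quoted from
// SemanticState.cpp. ConnectionModel, checkUserId and outcome are hypothetical.
#include <iostream>
#include <stdexcept>
#include <string>

struct ConnectionModel {
    std::string userId;  // full authenticated id, e.g. "mgmt@QPID"
    // ASSUMPTION: accept the full id, or the bare name before '@'.
    // The report does not show the broker's isAuthenticatedUser().
    bool isAuthenticatedUser(const std::string& id) const {
        return id == userId || id == userId.substr(0, userId.find('@'));
    }
};

// Mirrors the quoted condition: reject only when authMsg is set, the message
// declares a user id, and that id is not the connection's own identity.
void checkUserId(bool authMsg, const ConnectionModel& conn, const std::string& msgUserId) {
    if (authMsg && !msgUserId.empty() && !conn.isAuthenticatedUser(msgUserId)) {
        throw std::runtime_error("authorised user id : " + conn.userId +
                                 " but user id in message declared as " + msgUserId);
    }
}

// Returns "" when the message passes the check, otherwise the rejection text.
std::string outcome(bool authMsg, const std::string& connUser, const std::string& msgUserId) {
    try {
        checkUserId(authMsg, ConnectionModel{connUser}, msgUserId);
        return "";
    } catch (const std::runtime_error& e) {
        return e.what();
    }
}

int main() {
    // Constructed cases; the user names are the ones used in the report.
    struct Case { bool authMsg; const char* conn; const char* id; };
    const Case cases[] = {
        {true,  "tester@QPID", "tester"},  // client stamped its own id
        {true,  "mgmt@QPID",   "tester"},  // same message checked against mgmt
        {true,  "mgmt@QPID",   ""},        // no user id declared
        {false, "mgmt@QPID",   "tester"},  // authMsg false
    };
    for (const Case& c : cases) {
        std::string r = outcome(c.authMsg, c.conn, c.id);
        std::cout << c.conn << " / '" << c.id << "' -> " << (r.empty() ? "accepted" : r) << "\n";
    }
    return 0;
}
```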